Extending Active Directory Users and Computers with Custom Attributes


If you’ve ever wanted to add columns for unlisted attributes to Active Directory Users and Computers, you’ve been out of luck without editing the displaySpecifiers manually.

Until I had enough of it.

How does it work?  I’m so glad you asked.  So, if you’re not familiar with the functionality that I’m talking about, open up Active Directory Users and Computers (or ADUC, since we make acronyms out of every damn thing), select an OU, right-click, point to View and then click Add/Remove Columns.

From here, you’ll see the familiar list of column titles that you can add to the view.

So what happens when the column you want to view isn’t there?  You’re SOL, right?

Not exactly.  Crack open ADSIEdit.msc and let’s go exploring.  You’ll want to connect to the configuration container, and then expand the Configuration Naming Context, expand CN=Configuration,DC=domain,dc=com, expand CN=DisplaySpecifiers and select CN=organizationalUnit-Display in the main window.

Double-click CN=organizationalUnit-Display and scroll down to extraColumns.  This is where you can add items to display in ADUC.  You’ll notice that by default, it is null (<not set>).

This is a multivalued attribute, and the format is:

attributeName,Attribute Column Title,<visibility>,<width>,<reserved>

So, if you wanted to add extensionAttribute1 and have the column name display as “Extension Attribute 1,” set the visibility to “True” (which will equate to “always on”), and the column width to auto, it would look like this:

Click add, and OK.  Piece of cake, right?


After you close and reopen ADUC, you’ll see that you now can ONLY select that column and a few base properties, but all of the others have disappeared.

Great job, Aaron!  Now you’ve really messed it up.

What happened?  When you populate the extraColumns attribute, that becomes the authoritative list for additional properties to surface in ADUC. How do we fix it?

  1. Go back to ADSIEdit.
  2. Clear the extraColumns attribute for CN=organizationalUnit-Display.
  3. Run the script I wrote.

So what’s special about the script I wrote?  It pulls in all of the display specifiers in cn=default-Display and then adds your new one.  Here’s what it looks like:

Now, when you close and re-run ADUC, you’ll see all of the properties you previously had available.
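The merge described above (copy the extraColumns list from cn=default-Display, then add the new column to CN=organizationalUnit-Display) can be sketched as follows. This is an added example, not the author's script; the locale container 409, the backup file name and the sample column value (1 for visible, -1 for auto width, 0 for the last field) are assumptions.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not the author's script. Assumed values: locale container 409,
# the sample column string, and the backup file name.
param(
    [string]$Locale     = '409',
    [string]$NewColumn  = 'extensionAttribute1,Extension Attribute 1,1,-1,0',
    [string]$BackupPath = '.\extraColumns-backup.txt',
    [switch]$Apply      # without -Apply the write is only simulated (-WhatIf)
)

function Merge-ExtraColumns {
    # Append $New to $Existing unless its attribute name (field 1) is already listed.
    param([string[]]$Existing, [string]$New)
    $fields = $New -split ','
    if ($fields.Count -ne 5) {
        throw "Expected 5 comma-separated fields, got $($fields.Count): $New"
    }
    $names = $Existing | ForEach-Object { ($_ -split ',')[0].Trim() }
    if ($names -contains $fields[0].Trim()) { return ,$Existing }
    return ,(@($Existing) + $New)
}

# Display specifiers live under a per-locale container in the Configuration partition.
$configNC = (Get-ADRootDSE).configurationNamingContext
$base     = "CN=$Locale,CN=DisplaySpecifiers,$configNC"
$default  = Get-ADObject "CN=default-Display,$base" -Properties extraColumns
$ou       = Get-ADObject "CN=organizationalUnit-Display,$base" -Properties extraColumns

# Record the current value first so the change can be reverted by hand.
"$(Get-Date -Format o) $($ou.DistinguishedName)" | Add-Content $BackupPath
$ou.extraColumns | Add-Content $BackupPath

# Start from the default list so the stock columns survive, then add the new one.
$merged = Merge-ExtraColumns -Existing @($default.extraColumns) -New $NewColumn

# The Configuration partition replicates forest-wide: review the -WhatIf output before -Apply.
Set-ADObject -Identity $ou.DistinguishedName `
    -Replace @{ extraColumns = [string[]]$merged } -WhatIf:(-not $Apply)
```

Run it once without -Apply to see the simulated change, then again with -Apply from an account that can write to the Configuration partition.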

And there you go.  You can get this latest installment of wizardry by going to the Technet Gallery or following the link below.  Happy modding!


Published by Aaron Guilmette

Helping companies conquer inferior technology since 1997. I spend my time developing and implementing technology solutions so people can spend less time with technology. Specialties: Active Directory and Exchange consulting and deployment, Virtualization, Disaster Recovery, Office 365, datacenter migration/consolidation, cheese.

Reader Comments

  1. I used:

    telephoneNumber,Telephone No,1,90,8


    By emending the ExtraColumns on the CN=OrganizationalUnit-Display object, the ADUC View Menu, Add More Columns is completely empty after doing this!

    Additionally, consider adjusting the CN=default-Display instead.

  2. How to add OU path in Add/Remove column in LDAP query result.
    If I am finding computer or user object in AD, then it should provide me the OU path as well. Is it possible via adsiedit?

  3. Thank you Aaron for this.
    “I tried looking into “Search Folders” and saved queries, but that appears to pull from a list defined elsewhere. I’ll keep poking around and post back if I find anything.”
    Did you find anything…?

    1. There’s a reference to them saved in %UserProfile%\AppData\Roaming\Microsoft\MMC\dsa (it’s an XML file), but beyond that, I couldn’t find out anything more.

  4. Hi there, thanks, this looks like just what I need!
    But I’m a French user, and not sure if I should use the 40C language code or 409…
    Is there a way to be sure of that variable?
    Is it as simple as the language of the system running the Domain Controller?

    1. I would start with the language being used on your DCs. But, there shouldn’t be a problem updating both. I’d recommend backing up your DC and configuration container first, just in case. 🙂

  5. Hi thanks, this looks promising for me. I need to add a column for “AccountExpires” or “AccountExpirationDate”. As mentioned before with the “pwdLastSet” – the column shows up, but no data. I tried both “AccountExpires” and “accountExpires”.

  6. Hi, this looks promising for me. I need to add a column for “AccountExpires” or “AccountExpirationDate”. As mentioned before with the “pwdLastSet” – the column shows up, but no data. I tried both “AccountExpires” and “accountExpires”.

  7. Thanks Aaron, this is perfect!
    I’m now trying to add my columns to the ‘Find Computers’ search window – do you know which display specifier this would be in?

    1. I don’t know if it’s possible. The custom display specifiers don’t show up there, either, for users. I tried looking into “Search Folders” and saved queries, but that appears to pull from a list defined elsewhere. I’ll keep poking around and post back if I find anything.

    1. What do you mean by “similar thing with Exchange 2013”? If you mean editing the ASP/html files for the web console, no. But if you mean adding Exchange attributes to the ADUC console, yes. You can actually use any attribute in the AD schema.

  8. Thank you for this, very helpful. Question…I needed to add a column to CN=container-Display to see the column in the default users container. That went well, however, the script will not add all the default display identifiers back to cn=default-Display; looks like they are missing from CN=organizationalUnit-Display as well. Can you help?
